Improper access control in Nextcloud Social app allowed to read posts of any user

The Social App does not validate the server TLS certificate for connections to other ActivityPub servers.

Thursday, 19 November 2020, 12:53 GMT
These connections are used to retrieve the public key for a user or to post a message to another ActivityPub server.
The public key for a user is used to validate the ActivityPub user.

The vulnerable code is:

The initRequest method disables verification of the peer's certificate by setting CURLOPT_SSL_VERIFYPEER to FALSE.

This code is called from CurlService.php.
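The following is an added illustration, not the Social app's own code: a cURL option set with the same defect as the one described above (verification switched off), the hardened option set beside it, and a small audit function that flags option sets which would accept an attacker's self-signed certificate. The function names buildInsecureRequest, buildHardenedRequest, auditCurlOptions and fetchRemoteKey, the CA bundle parameter and the actor URL are assumptions for this example; only the CURLOPT_* constants are PHP's real cURL options.

```php
<?php
// Added example; not code from Nextcloud or the Social app.
// Function names and the sample URL below are hypothetical.
declare(strict_types=1);

/** Option set that mirrors the advisory's defect: peer verification is switched off. */
function buildInsecureRequest(string $url): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,  // any certificate chain, including self-signed, is accepted
        CURLOPT_SSL_VERIFYHOST => 0,      // the certificate is not matched against the hostname either
    ];
}

/** Hardened option set: chain and hostname are verified, and redirects cannot downgrade to http. */
function buildHardenedRequest(string $url, ?string $caBundle = null): array
{
    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,               // 2 = certificate must match the host in the URL
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // only https is allowed for this request
        CURLOPT_FOLLOWLOCATION => false,
    ];
    if ($caBundle !== null) {
        // Assumed: an explicit CA bundle path, for hosts whose system store is unusable.
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    return $opts;
}

/** Returns the reasons why an option set would accept a man-in-the-middle certificate (empty if none). */
function auditCurlOptions(array $opts): array
{
    $findings = [];
    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $opts) && !$opts[CURLOPT_SSL_VERIFYPEER]) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is disabled: the certificate chain is not checked';
    }
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $opts) && (int) $opts[CURLOPT_SSL_VERIFYHOST] !== 2) {
        $findings[] = 'CURLOPT_SSL_VERIFYHOST is not 2: the certificate is not matched against the hostname';
    }
    return $findings;
}

/** Performs the request; with the hardened options a forged certificate surfaces as a cURL error. */
function fetchRemoteKey(array $opts): string
{
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('request failed: ' . $err);
    }
    curl_close($ch);
    return $body;
}

// Constructed sample input: a placeholder ActivityPub actor URL. The audit runs offline.
$url = 'https://remote.example/users/alice';
print_r(auditCurlOptions(buildInsecureRequest($url)));
print_r(auditCurlOptions(buildHardenedRequest($url)));
```

Run with `php example.php`: the insecure option set yields two findings, the hardened one yields none. The audit function is the part worth reusing, for instance as a guard in the code path that builds outgoing ActivityPub requests, so that a configuration which disables verification fails loudly instead of silently accepting whatever certificate the network presents.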

This issue has been tested on Nextcloud version version with Social version 0.3.1.


An attacker can perform a man-in-the-middle attack by impersonating the victim server with a self-signed TLS certificate, which the Social app accepts because peer verification is disabled.

The attacker would have to be in a privileged network position between the Nextcloud instance and the target ActivityPub server.


Update to any version up to 0.3.1